On one of my FreeBSD servers I have a recent security hole in the SASL auth mechanism.
Someone seems to have found and leaked valid login credentials to the Postfix SASL accounts on a dbmail server.
This account was used to send fraudulent mails to an unknown number of recipients. I am still investigating the large log files ...
I only know this because I got an abuse notification from my hosting service provider.
I discovered in /var/log/maillog very many successful SASL logins/authentications from many different IPs from all over the universe.
So far I use "sshguard" to monitor login failures for ssh and other services and block IP addresses with a pf rule, which works perfectly.
Even if I change the leaked credentials for one mailbox, it is only a matter of time until it happens again.
I want to monitor successful Postfix SASL authentications where the same credentials are used from different IP addresses, to find suspicious activities.
The best solution would be that Postfix drops the connection or returns a SASL failure instead of an OK when the connection comes from suspicious IP addresses.
Are there any tools that I can use to monitor the maillog for suspicious successful SASL authentications? Or any ideas for better solutions?
A travelling business person may have mobile internet and mail access on whatever device is used for that, so different IP addresses during the day are possible.
But a retired person living/travelling in Europe cannot access the server from, let's say, Brazil.
What would be the best way to classify a successful SASL login as "suspicious" or "plausible"?
Has anyone else ever dealt with a similar issue?
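As an added example that is not part of the original post, the following Python script shows one way to do the monitoring half of what is asked above: it parses the `sasl_username=` lines that postfix/smtpd writes to the maillog, counts how many distinct client IPs each username authenticated from inside a sliding time window, flags users that exceed a threshold, and emits the offending IPs in a form that can be fed to a pf table with `pfctl -t <table> -T add`. The log lines, the table name `sasl_abusers`, the thresholds and the allowlist are all constructed assumptions for this example; the script does not attempt the geographic plausibility check (that would need a GeoIP database), and it reports rather than blocks, so a human can review the list before any IP is added to pf.

```python
#!/usr/bin/env python3
"""Flag Postfix SASL usernames that authenticate from many distinct client IPs.

Added example, not from the original post. Assumes the standard postfix/smtpd
log format for a successful SASL login:
  <syslog ts> <host> postfix/smtpd[pid]: <queue id>: client=<name>[<ip>], sasl_method=<m>, sasl_username=<user>
Failed logins ("SASL ... authentication failed") are ignored; sshguard already covers those.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SASL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=[^\[]*\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>[^\s,]+)"
)

# Constructed sample maillog excerpt (documentation IP ranges only).
SAMPLE_LOG = """\
Mar 10 08:01:12 mx1 postfix/smtpd[4021]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 10 08:14:40 mx1 postfix/smtpd[4025]: 2B3C4D5E6F: client=unknown[198.51.100.77], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 10 08:30:03 mx1 postfix/smtpd[4030]: 3C4D5E6F70: client=unknown[192.0.2.19], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 10 09:02:55 mx1 postfix/smtpd[4033]: 4D5E6F7081: client=unknown[203.0.113.200], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 10 09:05:10 mx1 postfix/smtpd[4040]: 5E6F708192: client=phone.isp.example[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 10 12:45:33 mx1 postfix/smtpd[4051]: 6F708192A3: client=office.example[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 10 12:46:00 mx1 postfix/smtpd[4052]: warning: unknown[203.0.113.66]: SASL LOGIN authentication failed: authentication failure
"""


def parse_line(line, year=2024):
    """Return (timestamp, client_ip, username) for a successful SASL login line, else None.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here).
    """
    m = SASL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_suspicious(lines, max_ips=3, window=timedelta(hours=24), year=2024):
    """Return {username: sorted list of IPs} for users seen from more than max_ips
    distinct client IPs within any `window`-long span of logins."""
    events = defaultdict(list)  # username -> [(timestamp, ip), ...]
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            ts, ip, user = parsed
            events[user].append((ts, ip))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > max_ips:
                # Union the IPs from every offending window for this user.
                flagged.setdefault(user, set()).update(ips)
    return {user: sorted(ips) for user, ips in flagged.items()}


def pf_table_entries(flagged, allow=()):
    """Flatten flagged IPs into one sorted list, dropping allowlisted addresses
    (e.g. a known mobile carrier IP of a travelling user), ready for
    `pfctl -t sasl_abusers -T add <ip>`."""
    return sorted({ip for ips in flagged.values() for ip in ips} - set(allow))


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG.splitlines())
    for user, ips in result.items():
        print(f"{user}: {len(ips)} distinct client IPs -> {', '.join(ips)}")
    for ip in pf_table_entries(result):
        print(f"pfctl -t sasl_abusers -T add {ip}")
```

On a live box the same functions can be run over `tail -F /var/log/maillog` from a cron job or a small daemon; the window and `max_ips` values are the knobs for the "business traveller versus retired person" distinction in the post, and a per-user threshold (or per-user allowlist) is the natural next step once the normal pattern of each mailbox is known.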